[FD] Visual Paradigm Server v10.0 - Cross Site Scripting (XSS) Nov 27 2015 11:50AM
Manuel Mancera (mmancera a2secure com)
Visual Paradigm Server v10.0 - Cross Site Scripting (XSS)

Name: Visual Paradigm Server v10.0 - Cross Site Scripting (XSS)
Affected Software : Visual Paradigm Server
Affected Versions: 10.0
Vendor Homepage : http://www.visual-paradigm.com
Vulnerability Type : Cross Site Scripting
Severity : Low
CVE: n/a

Visual Paradigm Server is a service that is installed with Visual
Paradigm Teamwork Server. It is used to manage the license server accounts.

A vulnerability has been detected in login.jsp that allow an attacker
execute arbitrary javascript in the browser context of a victim and
could steal the cookie of a user and hijack his session.

Proof of Concept URL

Install a higher version, the last version is 12.2

Advisory Timeline

26/11/2015 - Informed vendor about the issue
26/11/2015 - Vendor responded
27/11/2015 - Vendor say that just this version (10.0) is affected by
this vulnerability, and this version is deprecated. (Also I reported
other XSS in his website and they fixed)
27/11/2015 - Vulnerability published

Credits & Authors
Manuel Mancera (@sinkmanu)


All information is provided without warranty. The intent is to provide
information to secure infrastructure and/or systems, not to be able to
attack or damage. Therefore A2Secure shall not be liable for any direct
or indirect damages that might be caused by using this information.

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus